There's even a statistical program for looking up the stuff.
Now detection methods.
It's actually really easy.
The first time was just a quick hack.
I basically, like I said, just took the Lucent card, used its ability to detect things.
Older 802.11 cards don't do this.
Some vendors don't do this.
If you have a Lucent card that doesn't work, backflash it to the firmware release back
in November or January.
Lucent kind of removed some of these features from the latest revisions because people were
doing this stuff.
To set your SID to any, if you're under FreeBSD, set your SID to a null string, and your card
becomes a little slut.
It'll just hook up to any AP in the area and just, you know.
The script I run just resets polls, as I said, detects.
If you think about it, war driving is really inefficient, but there's so much out there,
it works really well.
I mean, literally, I could drive at about 80 miles an hour down the freeway and lock
onto people's access points and home access points.
No problem.
I had, my first version of the program actually had a bell that rang every time I found an
AP.
I took that out of the code real fast.
You drive, you come, you drive along, there's this bing, bing, bing, your friend's like,
is something wrong?
Is your car okay?
Yeah.
Door's open.
Yeah.
Key's ignition.
Like I said, the data's a long process.
People who are writing code like this, I encourage you to.
I actually am working on some stuff, which I'll talk about later.
This stuff is pretty good because it actually keeps the log.
One nice thing about this is it actually outputs the file in the same format as my script so
I can do post processing.
See, as you drive down a road or street, you get points along the street of different
ways, basically different signal strengths.
Well, if you quantize your location to do a grid and then do averaging, I could actually
find which building your AP is.
So if you drive up First Street and drive up Second Avenue, you can calculate where
it is.
Or if you're driving around a business park and you just circle the complex, I could
tell you what building and sometimes even like what area of the building the whole thing's
connected to.
Skip it.
What's that?
Skip on.
Yeah, well, officially, I only look at IP headers.
I will not look at anybody's personal data.
That's my story and I'm sticking to it.
Now, long distance.
Okay.
Matt, who's out here somewhere.
Matt, yeah, who's out here somewhere.
We and him got together one day and decided to go up to the Berkeley Hills.
And actually, you beat this record, did you, recently?
The distance record?
You beat our first distance record, didn't you?
Yeah, you got a 20-mile link.
The fun part about this is, I'll show you a picture of it later, a nice 24 dB antenna
got up on the hills, pointed it to the far, literally at the horizon in San Francisco,
and I got into an office AP.
Now, there are APs out there with big antennas and amplifiers, but the one I actually was
able to bump into was this corporation with an AP sitting on somebody's desk.
I did this over 13 miles away.
So the managers out here, which I'd love to pick on, who think, well, it's not a problem.
We have a security team.
We'll spot any of these long-haired hackers in a car sitting in our parking lot.
Sorry.
Okay.
Simple geometry here.
You're on the ground at sea level.
The horizon's three miles away.
We were up there.
We're up on a hill in Berkeley.
Our horizon's 35 miles.
They were 13.
So theoretically, I was hacking them from over the horizon.
Go ahead.
Keep looking in your parking lots for me.
I'm the car, I'm the black car doing 80 miles an hour by.
I mean, it's, oh, yeah.
So the important part about this is we were able to locate APs.
I knew who they were because Wyatt, my friend, had driven around the area.
Like I said, we do the triangulations.
We knew exactly what it was.
We pointed the dish at San Francisco, marked down all the MAC addresses that we discovered,
cross-referenced.
We had a GPS in the database.
So I knew the remote location, typed into the GPS, over 13 miles, no problem.
And he did some similar things another day, breaking 20.
This is the view from Matt and I had up in the hills.
Those of you familiar with Berkeley, that's the Campanile.
This is all Berkeley campus.
That's Emeryville.
You know, Emeryville is one big piece of landfill.
Got the Bay Bridge and, of course, San Francisco.
Okay.
Nice little view there.
And this is really scary.
Can you see the buildings in San Francisco?
Yes.
Well, we could barely see them.
We had access to every one of their LANs.
It was actually, well, we actually had, we were going to set it up to show you.
We actually have a tripod mount for the whole dish.
Really hot.
Wyatt did a really good job on that.
But with this, I was actually holding up the dish, pointing across it, and, you know, Matt's
reading off the data.
It's like literally just every, you know, every time a thing moved even half a degree.
We got another LAN.
It's like a pig's in a barrel.
That's myself holding up the dish.
Dishes are really cheap, only 80 bucks.
Antenna systems, you can buy them as low as 30, I believe.
Well, not always.
It's actually, now that the ISPs are going out of business, cheap hardware.
Go on.
Here's Wyatt modeling the Yagi system, which didn't work as well as planned.
It's a little bit of a mess.
That's a 15 dB Yagi.
It's okay for direction finding, but not for long-distance snooping.
So if you're going to do the long-distance stuff, you need to really go with the high
dB dish.
The 15 dB Yagi just doesn't cut it.
One little thing, always have your portable power supply.
RadioShack sells a nice little toy.
Gives you 7 amp hours of 12 volts.
You know, enough to power your laptops for three or four hours.
It kicks ass.
Now the next thing we're doing, the way people are going to ask, well, how do you secure
things?
Well, the way you secure things, typically, is you turn off beacons.
You want to use WEP.
You know, WEP's been cracked.
But you want to use WEP because it stops a casual person like me from pulling over and
checking my email.
That's going to stop 80% to 90% of the people trying to hack into your system.
The only way to really secure a site these days is to basically set up a DMZ zone.
Only allow IPsec through.
So have the router that's a DMZ, or the firewall that's a DMZ.
Only allow IPsec connections for authentication.
And that has to be a wireless network.
Other than that, you're screwed.
Unless you're willing to open up free networks, in fact, I'm going to drag Matt up here in
a second so we can, a little bit later, so we can talk about the idea of free networks.
Yeah, he's like, yeah, right, Pete, thanks.
But the next generation we're talking about is the Prism, well, there's various chips
available.
The Prism 2 chips are really fun.
There are drivers for Aironet.
There are patches for FreeBSD.
I'm talking to a friend who's committing them to the tree right now.
Hmm?
Oh.
Prism cards.
Huh?
Oh.
We'll get to that in a second.
But basically, with these cards, most hardware places don't let you read the packets, especially
the WEP packets.
Turns out with the Prism cards, you can.
You just suck the data up, you crack your WEP, but the way you secure your network is
you turn off the beacons.
All this stuff over here is doing is reporting all the AP beacons that it sees.
Turn off your beacons, your automatic network configuration doesn't work, you have to know
the net ID, you have to know the channel to get your network to work, but at least people
don't drive by, stop in your parking lot, and pick up your beacons.
It hasn't been held up in court yet, but there's an argument.
If you're transmitting a beacon saying, hi, here's an access point, talk to me, and I
receive it, am I illegal, am I gray area?
Actually, it's debated.
Receiving your IP packets is a different story, but actually just intercepting your beacons
and logging it is still open.
What we're doing next is in about two or three months, I was actually hoping to do it by
DEF CON, but a friend gave me tickets to London and I got really drunk, so I didn't write
the code.
Effectively, we're putting out some code, it's going to basically do all the Prism,
there's always some prismdump stuff out there, in fact, do a search for prismdump,
runs on Linux, does nice things.
Some of that has a base, a nice little utility that works on the Unix, does all the right
things, but your network will not be able to hide.
Now, anybody can do this with a Lucent card.
Again, we'll show some more.
Next.
What the hell?
Let's repeat.
Oh yeah, this is a fun one.
Now, for those of you who didn't bother installing software but just have the standard Lucent
stuff installed, you don't need special software, you don't need to run FreeBSD, any Windows
machine with Lucent card could work.
Set your SID to any, go into your client manager, click on advanced site monitor.
This is a picture that I got from Matt.
He was standing on Fremont Market, which is one of the centers of the business section,
and that's the amount of available networks.
I believe what Matt was telling me when he ran EtherPeek, I believe, for the first time
on that sidewalk, EtherPeek crashed from all the packets.
That much data.
If you notice, these people have no idea what they're doing, because everybody's set
up on the same frequency.
So basically, people are setting it up, they have no idea if there's somebody else next
to them, none of them are getting decent bandwidth, but literally, the standard, this is already
installed on your Windows machine, it'll tell you what networks are around.
You just click on that and have fun.
You don't need a GPS, you just walk down the street.
And by the way, the casinos have wireless LANs.
Yeah.
Now, statistics.
This is the fun part.
This is why I'm doing this.
I'm doing statistical generation of things, and I'm trying to find out, you know, what
is the problem, what else is going on in the world, and what's going on.
Well, so far I've spent, well, many a day and afternoon, usually get a friend who's
good to talk to, we take turns driving.
I'm kind of as fun as my friend's Outback, because so much room in that thing, lots of
power plugs.
And you've got two sunroofs for extra antennas.
I've currently got about 1,500 APs located in the Bay Area.
This is not enough for a good statistical, you know, those of you who stayed awake during
statistics in school, this is not enough of a sample.
But I'm working on it.
But so far, this is the scary part.
You know, over 85% don't use encryption.
Those running WEP usually use a default key.
Default keys are 10, 11, 12, 13, or 1, 1, 1, 1.
Zam, if you run into him around here, he has a nice little file actually he's built quite
nice of statistics.
All the different APs.
What the default SID is for that type of card or AP.
What the encryption type is.
The data that Pete just talked about is archived on the Wisconsin 2600.org web server slash
media horror slash NF0 slash wireless.
Contains all sorts of things from Dane County and around Milwaukee.
Including a few hospitals who probably shouldn't have patients staying there anymore.
Didn't you mention you had better network connections to the hospital than you do at home?
How many hops were they from AboveNet?
How many hops were they from AboveNet?
A place that does medical imaging in Madison is like two hops from AboveNet.
They appear to have some insane pipe to their office.
They just do video creation.
I'm sorry.
There's a place in Madison we found.
I don't remember the URL.
I want to say it was Illustrated Ideas or something like that.
They do some insane medical imaging.
And they have insane pipe.
And tracerouting from their network, it was two or three hops from AboveNet.
From my laptop I could hit things in six to seven milliseconds in a parking lot faster
than I could from the DS3 at the university.
So it was okay.
I would not complain.
Yeah.
He's pretty much doing the same thing I'm doing but in his area.
One last thing.
The file Pete talked about is called defaultsids.txt.
And I've been keeping a versioning history of this.
As I get an AP to play with I just commit the data.
Interesting things.
Authentication it uses.
Allowing.
How you manage it.
All sorts of stupid details.
Default max.
That kind of thing.
And it's basically just kept in a file.
I update it every month or so as I learn new shit.
So just give it a shot.
It's in just media horror slash info slash wireless.
Yeah.
There's some funny stuff in there.
Like until recently.
Anybody here have a Linksys AP?
Have you upgraded your firmware yet?
Linksys APs don't have a password.
Oh yes.
Yeah.
That's the mount for the antenna which we probably forgot to bring.
So we'll get back to statistics.
Basically some people barely run in WEP.
Most of you use default keys.
You run into a network running WEP.
Try.
Key one is 10, 11, 12.
Key two is 20, 21, 22.
Trust me.
It'll work a lot of the time.
Don't bother trying to crack the WEP.
You guess it most of the time.
Most of them are wide open.
You won't believe how many BGP packets and RIP packets I see driving down the street.
I mean if you're seeing BGP over that, that means you're next to one of the core routers
talking to another core router and their AP is in a place where their pants are down.
So you're probably going to have to make a decision.
I don't know.
I mean we all know about routing protocols.
If I was to start transmitting a few routing updates to their network, they'll never fucking
figure out what happened.
I mean seriously.
I mean you just forge an address, set a routing update.
It gets inputted.
It might even propagate over the internet.
They'll never figure it out.
And don't even think that the AP is going to, you know, my, you know, my MAC address
is going to tell you anything.
When I drive around my MAC address, it's officially dead, dead, dead, dead, dead.
It's kind of a running joke that Bay Area Wireless uses.
Group.
Because people report, yeah, we saw you drive by.
You popped up on our list.
So it's a running joke.
Statistics.
Here's the top ten SIDs.
I know these are all default.
Wavelength Network, Airwave.
That's Cisco.
By the way, when you see any of these as a SID, that means they didn't bother changing
it.
Which means they probably didn't change many other things like the password or the WEP
key or any other default configurations.
The Apple Airport with the hex.
That's Cisco.
Those are basically people with Macintoshes with a card in it running in AP mode.
Based on the SIDs and other things, SIDs and basically not using WEP and stuff, 60% of APs
are running in the default configuration.
Five years.
Right.
This is why I've stumbled upon recently.
I think it's really interesting.
We all know about Dan Farmer's, you know, he has his pants down, you know, paper he
put out.
We showed that 60% of machines on the internet are vulnerable.
Of those 60, 40% are just like outright wide open.
That's a well-known paper.
It's been published way too often.
I did the war dialing thing.
Exact same statistics.
So now doing this other stuff, I find the exact same statistics.
Which means we're looking at a constant here.
Go on.
Results agree.
60% show signs of weakness.
33% have problems and holes.
This shows we have a constant insecurity.
In other words, companies say, oh, we get on the internet, we're going to be insecure.
I show that's bullshit.
I show there's more ways of breaking the computers through dial-up than there is over
the internet half the time.
So Dan Farmer has shown that most machines are wide open on the internet.
I'm showing they're open on dial-up and wireless.
I'm talking to some other people who are going to start taking better statistics and showing
that they're wide open via physical audits.
And if we could show a common of 60% is no longer the fact that internet gives you security
problems.
Or dial-ups give you security problems.
Just 60% of companies are insecure.
We know this, but they're not going to listen until we prove it.
So if I wireless survey shows same numbers, as I said, it basically infers a definitive
constant.
Those of you who are heavily into the security field, this is actually a really juicy thing
because when you write or you basically respond to RFPs and stuff like that, you can convince
them to pay you lots of money because they have problems.
Go on.
Next slide, please.
Now, here's some, I guess, eye candy for you guys.
We generated some maps.
These maps were a little bit skewed as we were working on it.
That's San Francisco.
That was a 25-minute drive.
Actually, I think that's the drive where me and Kevin Poulsen basically jumped in the
car for about an hour and just spun around and literally ...
It's a 25-minute hour?
Well, we spent about 25 minutes driving around.
It was about an hour total on the road, but most of this data was collected within literally
within half an hour.
I mean, talk about ... Come on.
Fish in a barrel here.
It's really not funny.
Next.
Here's another drive where you hit different areas.
You get some really good ones in here.
I can't really see all the SIDs, but literally, I was driving around London and got the exact
same statistics except for I had SIDs like Britney Spears.
I don't understand that one.
Here's yet another map of even more data.
Yeah.
Actually, some of these weren't there.
Actually, a lot of these were actually transmitting from here, but with such a clean signal path,
they're appearing here.
This is a drive when Wyatt and I drove around for, I guess, most of the afternoon, actually.
But Wyatt and I concentrated on areas that I hadn't hit before, which were, I guess,
upper middle class that didn't have too many wireless access that were driving through the
parks and stuff.
But we still got quite a few just by driving around.
And one thing about driving around collecting these things, you'll find networks where you
don't expect them.
In this area, okay, you've got the Haight right here is loaded.
In fact, this does not do justice.
This is the first script that only puts the first 64 networks on the map.
But it doesn't make a difference because they're all on top of each other anyway.
The Haight's really crowded.
You walk down the Haight, not actual Haight, but Page or Cole, went on the side.
It's like two or three networks per block.
It's all the little Gen Xers.
Got the little apartments with their little guys.
Got the girlfriends.
And they all got wireless networks.
Now, around here is what's called South of Market.
That's where the old dot com things were.
You couldn't find a place for your front teeth.
But now, all of a sudden, all the dot comers failed.
But you still drive around that area, you'd think, this is where all the startup places
are.
Even when the startup places were there, there weren't that many wireless networks.
It's kind of weird.
Matt's is there, but he likes it there.
Matt actually likes it.
He actually has an open AP for people to actually openly use stuff, but he'll talk
about that later.
So driving around here, here's a cool little trip, I think.
I think this is actually the first time I drove around, Silicon Valley.
I might recognize some companies.
I love Ed's tech office.
I'm not sure if the numbers showed up here or not.
Downsville, Nokia, Waveland.
There's actually some serious funding.
Yeah.
There's some capital venture companies I found.
It's kind of scary.
Mind you, these are mostly along the freeways.
The majority of these were just me just driving on the freeways at high speed.
Now this opens up another big question.
What's free?
Matt, myself, a lot of other people, Cliff, believe that we should make an effort to set
up free open LANs.
But how do you tell what's free?
What scenario do I bring you?
You're right.
Okay.
All we know is Starbucks is now offering a pay-per-use wireless access.
Okay.
You walk into Starbucks.
You set your ID to any.
You're in Starbucks.
You're typing away, checking your email.
You're paying way too much for access, but you're still there.
You're doing this stuff.
You walk up.
You turn your back.
Maybe put yourself between the AP or something else.
And the company across the street gets associated with your card.
Now you're doing your traffic through the corporation's LAN across the street.
Okay.
You get arrested.
What if they have a clue and figure out what you're doing?
You get arrested.
Do you try to break into their network?
No.
You walked up.
You paid the, typically, kid behind the counter the bucks to use their wireless LAN.
You're trying to be legit.
But no.
The other company transmitted a beacon.
There was a stronger signal.
Your card associated with it.
And now you're using their LAN.
You don't even know it because they gave you a DHCP address.
You clicked on your little Netscape icon.
It popped open to Hotmail.
And you're checking your mail.
And you get arrested.
And you get arrested.
There's a problem here, isn't it?
And that's one of the things you have to deal with.
And that's actually still a lot of talk about.
And let's see.
Credit to Matt.
He helped me a lot in understanding some of the technology and hardware here.
Aaron Peterson wrote all the scripting software.
No relation to Matt.
Too bad Aaron can't make it out of here this year.
Cal, who's probably winding around here somewhere drunk, helped me a lot with Linux drivers
and getting them stuff to even compile in there.
You know.
Everybody knows how much I hate Linux.
So I made him work on it for me.
Wyatt is an awesome guy.
He turns large pieces of metal into small pieces of metal.
We were going to set it up.
But we got a little bit lazy.
This is like a mounting bracket.
A counterweight drops into this.
We actually have that big parabolic dish set up on a tripod.
The whole thing weighs just a little over 10 pounds.
And it's boom, boom, boom.
You set up.
You can hack into somebody 15 miles away.
Oh, yeah.
And two things to point out.
Check out Bay Area Wireless Users Group.
It seems to be the center of a lot of wireless information.
We're working on doing things.
Matt will describe some of the features they're going to be coming up with.
And, of course, at DIS.org, at WI, we're going to have various links.
Eventually build up a better page of the information.
But right now I'm just putting my scripts up for free.
I encourage people to go around, map out networks.
If you actually do a decent job mapping out the network, you know, I would love to add it to my database so I have better statistics.
I don't want just like, oh, yeah, in my town I found one or two if I'm walking around.
No.
I actually need a decent demographic analysis with the GPS locations.
I'll feed into the data and we'll have much better statistics.
So while your intranet wants to be free.
Yeah.
Huh?
Redmond?
I don't know.
When I drive that direction again.
What's that?
Sure.
Matt.
Actually, you're talking about hitting the other things like Redmond and stuff like that.
I'm a virus.
I'm not actually just Pete's space bar boy here.
After Pete started working on this, I had quite recently bought a 1974 VW bus, which is actually a perfect vehicle for doing things like this because it's got a lot of space.
The windows are very easy to tint, you know, limousine black.
And there's a lot of room for a lot of people with laptops.
It's also one of the few vehicles that's actually designed to hold another large battery.
So we're installing a deep cycle marine battery in the back.
We hooked up 110 converters and put in 110 plugs throughout the whole back seat and near the table and the front seat, plus 12-volt converters.
Mounting directional.
I think that's bad.
Yeah.
vehicle.
The only real drawback here is there's an ugly orange with a white top.
How inconspicuous is that?
I think that's bad.
You should check out Wyatt's Bronco, too.
The only problem is he basically Titaniced it at the last Burning Man, and he still thinks it's still full of mud.
Actually, it was like half the car is actually half underground.
We also just installed a big, huge table there that we can use as a workstation.
Everything is all set there.
We're installing antennas on the top, making a lot of them look like cell phones.
We're installing cell phone antennas and so forth.
But basically, in a nutshell, I can have four people scanning and doing whatever they would want.
I'm assuming they're going to be playing Doom while I'm driving.
That's just my guess.
But it's designed, and I can cruise around.
Now, if anyone is even familiar with a VW bus, they really don't go much faster than about 65 miles per hour with a good tailwind.
So it's really a great vehicle for this, except for the unleaded smell you get from the engine in the back.
Environmental terrorists.
VW is my way.
They put out more pollution than almost every other car on the road.
So I'm doing my part for the economy.
So we started designing this and putting it together.
And then what we're going to do is set up with a laptop in the back.
So no matter where I'm going, if I'm going to the grocery store, the moment I get in, it automatically boots up the laptop and starts to scan.
And before Wednesday, when I got laid off, I was actually doing a 150-mile commute all over the place, back and forth, from my car.
And then I'm going to be back home to work.
So the idea here is, as I'm going to work, as I'm cruising around, as I'm sitting there, because of the battery I'm putting in there, the laptop can actually stay on while I'm at work, just kind of waiting for things to happen.
And off we go.
And then I'm going to be turning that data over to Pete for the analysis, especially since I'm in the Sacramento area.
So if you're in Sacramento and you have a wireless network, God bless you.
So before we move on a little bit, any questions, General?
Yeah.
No engine noise problems.
We're talking 2.4 gigahertz as opposed to a couple kilohertz.
Oh, he was asking if there was any problem with engine noise.
Yeah.
Negative.
No.
And also, shielding is really easy to do with aluminum foil.
Actually, anything you use is going to be shielded.
It's a frequency.
Strat?
Try WI or WL.
What are those?
WL?
www.dis.org slash WI or slash WL.
It's in there.
Yeah.
We're going to double check it in a second.
Yeah?
Yeah.
Repeat the question.
Stealth the antenna.
You mean like this?
Oh, yeah.
This is more than enough dB.
No problem.
Do you have a backpack?
Okay.
A trick.
You don't want to...
You really don't want a high dB antenna because...
Okay.
The best way to explain dB, if you don't know it, is a light bulb is 1 dB.
You put a reflector underneath it, it's 2 dB.
So, the higher dB of your antenna means the less area it's sensitive to.
So, when you have an omnidirectional high dB antenna, it can only see for a small plate-like
view around it.
So, literally, as you walk by...
He works at Critical Path.
As you go...
Critical Path is an AP available to the public.
As you...
As I approach Critical Path, I get a good signal.
As I get within a block or two, I lose most of the signal because they're above me and
my antenna doesn't have much vertical reception.
So, if you're driving around, you want your antenna to be 5 or 8 dB.
And by the way, this is a nice little 5 dB antenna.
Is that stealth enough?
Yeah.
That'd be in your pocket right there.
Sure.
Yeah.
Yeah.
We'll just sum up.
You want to get your antenna in place.
Cool.
Can you speak up?
We can't hear you.
Why didn't you mention physical address filtering?
Because everybody knows why the patient does that.
Well, physical address filtering's worthless, because I'm going to see your
MAC addresses and I can just assume your MAC address.
Any...
How do you do that?
What's the tool to do that?
Any sniffer program, TCP dump.
What?
Nay.
Windows will do it, literally. MAC address based security is not. Yes, on the Windows
or Unix, you literally just, in ifconfig, you change your MAC address. Yes, really.
When I war drive, my MAC address is dead, dead, dead, dead. I mean, make it easy for
people. No, MAC addresses are easily faked and modified.
So, yeah, even in Windows, you can actually go on the control panel and test that out.
It's pretty easy to do. Basically, anybody with any networking skills
or knowledge actually knows that.
I was being nice.
Okay, so, go ahead. Okay, we'll show.
All right, we already have it set up right here.
Good doing. Okay, everybody know what to
control panel is under Windows? We're not up there.
Newbie track is downstairs. We have a special session tomorrow on changing
your IP address with Windows GUIs. Okay, this is actually, he's under Unix right
here. But, yeah, we can show you how to do it
under Windows, too. But, literally, you just type in the command, and you change it.
They want to see the Windows control panel. All right, they want to play with Windows.
Okay. What are you doing running Windows and coming
to this conference? They're playing Doom.
I run it for PowerPoint. I don't run Windows. These guys do.
But the idea, basically, you can go in the control panel, I'm working on it right now.
But any operating system that supports the wireless cards, whether it's Linux, Windows,
Macintosh, they all let you spoof the MAC address. The reason they let you do that is
because if you set WEP keys and also on your access points, you can get access to your
point, as a security mechanism, your access point administrator can say, okay, I don't
want to deal with WEP, so instead I'm going to list these three good guys for Windows.
All the drivers have always let you change that for that reason. So it's nothing spoofed,
there's no hacks, there's no diffs. You go into your control panel, we're doing it right
now.
For those who think it's bullshit, as we heard earlier.
I don't know his last name.
Yeah, he's in the Bay Area. He hasn't actually come to any meeting. He just emails me updates
and it's like, cool.
Literally, you go in here, you click on this, you click on properties, you can change it.
Go ahead and do it. Do it for me.
You can.
Actually, you can't do it with this card.
I know.
You don't have to lose the drivers as well.
Okay.
We need the Lucent drivers installed to actually do it.
Hold on, he's going to put it on his machine. He's got the Lucent drivers installed.
I don't have a Lucent card installed.
He doesn't have a Lucent card installed, so it's harder to do on this.
Keep your shirt on. Keep your shirt on.
I can't believe you guys don't believe you can't change addresses.
We just did five times.
We just did it on the Unix system a couple times here. This is amusing.
I just didn't buy the load of the drivers.
Yeah, he didn't put the drivers on. Not on that system. All right.
All right, watch. Hold on.
Blue screen of death.
You got to promise, though, once it's been done, you cannot speak for the rest of the conference, okay?
Yeah.
Hey, Mojo, did you bring baby's first ball gag?
How do I change my MAC address with an Apple iMac?
If you bought an Apple iMac, you have worse problems than changing your MAC address.
Remember, friends don't let friends buy Mac.
Unless they're airports, you know.
Or you need a boat anchor.
All right.
Okay.
I've been talking about companies that have open access that don't realize they're doing it.
There's a lot of people who have access that want to grant.
I mean, at my house, there's an AP. I have the AP outside my firewall.
I don't have WEP turned on, and I have a default SID.
Why? Because I want my neighbors to have free internet access.
That's nothing. I only put out a few milliwatts.
Matt had actually gone forth. He actually sat on top of his house in Hayward.
And, as opposed to San Francisco, he has areas where he's literally covering huge areas.
Cliff and...
It's your game. You tell them.
Yeah.
So, obviously, I'm a wireless person, not a security person.
I'm coming from a little bit of a different perspective.
This isn't my day job, so I just try to have fun with this stuff.
And, essentially, you can do a lot of fun things with it.
You can basically build these kinds of public MANs.
I'm trying to get the presentation going up here, but I've got a very slow computer here.
And this is not, obviously, Windows.
I'm not going to do the full presentation because this is not a wireless-specific event.
This is obviously a security event, so it's not appropriate.
But, essentially, we've got a presentation that talks about the basics of 802.11 and what our mission is.
I know.
And I just want to show one slide here, if I can find it.
Let me take a second here.
This is our kind of the typical presentation we do for people that are like, well, what's wireless and what have we done and all that type of stuff.
If anyone's been to Burning Man before, this is how I got kind of addicted to this stuff.
So, let me secure.
What's interesting to note is there's different wireless cards that have different firmware in it.
And what's nice about it is that one of the first cards that came out was the Bay card.
I don't really know about this, but this is the Prism 1 chipset.
So, if you look at the drivers in FreeBSD, at least, you'll note that all the drivers deal with 802.11 in a raw mode.
So, this is a really nice device to do sniffing.
There's a group in Berkeley that did a WEP advisory.
This is the card that they used.
This is a Bay Networks card.
I think it's $60.
It's some surplus places down in the valley.
You can get them on eBay.
What's nice is this has got the Prism 1 chipset.
Then what happened is the people at Intersil got their asses slapped and they made Prism 2.
And if you're looking at Prism 2, you've got a couple different designs.
You've got a reference design, which is your D-Links and your Linksys and that sort of thing.
These are very generic cards.
What's nice about them is you can actually hack external connectors to them.
Some of them are 30 milliwatts.
Some are 50 milliwatts.
These are really nice.
They have a different firmware, which is a reference firmware.
The Orinoco cards have their own firmware.
They basically bought Prism 2,
deal with it, and did their own thing with it.
What's nice about their cards is they've got this external connector.
Hacking connectors is...
Everyone's got different ways of hacking connectors.
But these cards are really cheap.
They're like 80 bucks at Fry's now.
So if you break it, no big deal.
If you're driving around, you need an external connector.
And for GPS, the Mighty Mouse 2 GPS antenna
gives you a link, even in tall cities.
Now, even more exciting is Aironet,
which Cisco bought out about a year ago.
Aironet was an Ohio-based company.
This card is 100 milliwatts.
And what's nice about it is they've taken the firmware to the next step.
Their firmware is really cracked out,
but it's really powerful in the sense that they can do bridging in repeater mode.
And it's a really sweet card because the 100 milliwatt makes a difference.
You saw the screen capture of just, I guess,
the Orinoco control panel in downtown San Francisco.
With this card, I found about a dozen networks.
With this card, I found about 40.
It does make a difference.
And in the case of my house, I've got an omnidirectional antenna on the chimney.
I'm obviously roaming around inside of the house.
This makes a big improvement.
I get the five bars instead of three.
Not that I run Windows.
This is the Cisco 350 PCM model.
They have one that does not have a built-in antenna.
It's the LCM model.
And it's got MMCX connectors,
so you can build your own access point,
which is the ultimate war-driving machine.
It's really sweet because it is 100 milliwatt,
and you don't really need to buy an amp if you're kind of poor and whatnot.
Because amps are very expensive.
They're about $400 to get a one-watt amp.
People ask, why are we doing the Wi-Fi thing for free?
And there's a lot of groups doing this.
I started this after Burning Man,
where I built a network out there for Art Project and just anyone else to use.
It did not have external Internet access.
A gentleman by the name of John Gilmore,
if you've ever heard of Sun Microsystems or EFF,
he brings the Internet out there.
He builds his network, we build our network.
Ours is a little bit more reliable
because we don't have to deal with all that Internet foo.
And the idea was basically,
people have got art projects,
and there's a neat project called Spin.
And essentially, Spin is an LED thing that's spinning around,
and it's an optical illusion.
And this guy made this big fancy visual basic software
where you can make your own animation,
you can make stars,
and you can make a Pac-Man thing.
And it was great and all,
but no one downloaded the software and sent him animations.
So if you're a Burning Man,
you'll be able to go to a kiosk booth on an X-Terminal
and type in your message or make your animation,
and it'll be sent out over PlayaNet to this guy's art project.
So that's really the goal of PlayaNet.
When we did that, I came back to the Bay Area,
and Wired and all these companies were attacking me
and saying, hey, we need an interview,
what are you guys doing?
And obviously my inbox got really full of saying,
well, did you guys do anything illegal?
It's Burning Man, everything out there is illegal.
That sort of thing.
Yeah, exactly.
We did have one-watt amps.
I won't say what the gain of the antenna was.
The FCC specifies how much radiated energy.
They don't specify how many watts your amplifier is
or how good things are.
So basically they care about how much radiated energy.
So if you're at the full maximum wattage of your amplifier
and a really, really good antenna,
you're illegal.
Exactly.
There's other groups doing this.
BAWUG is very generic.
It's 802.11b because it's cheap.
It's really fun to deploy.
Bluetooth, we don't even talk about.
It's dead.
HomeRF is coming down the pipe,
but it probably will die too.
But this stuff is so cheap.
In the next six months,
it's going to be a whole other ballgame.
You're going to have laptops that already have this built in.
You've got PDAs that have this already.
What's great about BAWUG is since we're not saying
that we're building a specific network,
we attract a pretty diverse crowd.
So we've got ham operators, we've got VCs,
we've got stealth startups that are specific to 802.11b and 802.11a.
And they talk to me.
And I don't sign NDAs.
And what's nice about it is that
they've got a lot of neat products coming out.
So in the next six months,
this is all going to be crap.
Because there's going to be NetBSD-based solutions,
there's going to be Linux solutions,
APs are going to be a lot more cheaper.
It's just getting better and better and better.
And obviously,
war driving is pretty exciting in the sense that
there's more and more networks
that are just being deployed everywhere.
There's a lot of news about the war driving stuff.
You won't believe how much email I got,
how many people were responding to it.
It's insane.
And who's good idea was to leave the vodka up here?
There's some interesting projects going on.
This is an antenna hack where they've got
a Primestar dish and a tin can.
This, however, is not the best hack I've seen.
The guys in Sebastopol, O'Reilly,
everyone's heard of those books.
There's a project called NoCat.net.
That's N-O-C-A-T dot net
as in no cats involved.
They essentially have a Pringles can
with an end connector, and that's $10,
so it's a lot cheaper than this.
The connector is the most expensive part.
Building networks is pretty interesting.
How that works,
and I'm going to try to bring up an image here
that you can see.
Here's the frequencies, obviously,
the ones that don't overlap.
Let's see if we can get this link here.
This is going across the bay
between my house
and Hayward there.
San Jose is down at the bottom.
You've got Oakland, San Francisco, and Millbrae.
This is a 20-mile link.
Originally we were using Intel 2011 access points,
which are really kind of sweet
because they do something called WLAN mode.
They can be an access point
and a LAN bridge at the same time.
The problem is that they don't do this too well.
If they lose their link,
they just reboot in the cycle.
They're not very good for doing bridges long term.
Now we're switching with WAP11s,
which are $200.
If they're accidentally released,
you can do bridging with them.
Now you're looking at about $200
for the access point that you can do bridge mode on.
You get your pigtail,
and you've got your antenna,
and you've got a point-to-point link
for less than $500.
This didn't exist a couple years ago.
You had projects like SFLAN and the Presidio
that was using your frequency hopping equipment
and Breezecom equipment and whatnot.
This stuff has gotten so much cheaper,
and the price is really dropping.
What's great about it is you don't need
to be doing BAWUG or NoCat
or NYC Wireless.
You can do it with yourself.
If you've got DSL and your friend down the street
outside of the DSL zone,
and you can see each other, set up a link.
It's quite simple to do,
and the price is dropping on it.
One of the things that's interesting
is calculating,
is this link going to work?
There's some commercial software
which is pretty expensive to do path analysis.
Obviously,
it's not in the
I can't afford that.
That's for sure.
This is the access point
at First and Folsom in San Francisco.
I didn't take that picture.
This is the getaway of doing
where does it cover?
We're just walking around, clicking scan,
and then we took a map and draw it out.
This is the coverage
with a 15 dBi omni
with an Aironet access point
of 100 milliwatts.
There's a bunch of tall buildings around here.
I wanted to show the picture.
This is the terrain navigator.
That's really
just real quickly some of the stuff
that we're working on.
Tim Pozar is another guy involved
with BAWUG.
There's a lot of other groups in different areas
throughout the country.
On the west coast, you're looking at BC Wireless
up at the top, Seattle Wireless.
Personal Telco is personaltelco.net.
They're in Portland.
We've got nocat.net
and Sebastopol up at O'Reilly.
Bay Area Wireless user group is throughout the Bay Area.
I think there's a group in San Diego
moving more towards
the east coast.
You've got NYC Wireless
and many other projects popping up.
What's really happening is people are really excited
about this technology.
They're saying, how do I get rid of my DSL
and join this big MAN and all that type of stuff.
In reality, this stuff wasn't designed to create a MAN.
It wasn't designed to compete with Ricochet.
It was designed to connect two buildings
or to put an access point to roam around
in your conference room.
We're really pushing the limits with this.
The access point vendors don't like us doing that.
We're going to the next step
where we're buying cards, we're hacking antennas,
and then we're looking at getting old 486s,
Linux boxes, FreeBSD, whatever,
and building our own routers
and that sort of thing.
Our mission probably within the next six months
is really cookie-cuttering this thing out
in the sense that you'll be able to buy
this motherboard that's stripped down.
It's got its PCMCIA slots
and it's got its mini PCI
and it's got its compact flash and its console.
You download this software.
It's got the captive portal and it's good to go.
You get this card and here's how you hack it.
This guy in your area has an LMR 400 crimper.
Boom, boom, boom.
You're good to go.
That's really what we're moving to here.
A lot of people ask us,
what's going to happen when we do this?
We don't really know.
It's very organic.
It's just like the internet.
Different projects are doing different things.
I see wireless has got a couple of access points
within New York.
You've got access for free.
You're welcome to use that network.
We're working on different ways.
You can put the SSID
and call it free network or whatever.
The reality is
people are going to pop onto your network.
To be secure, you can't just put
a simple firewall in between.
We're looking at doing snort and IDS
and reversing
the firewall methodology.
It's a big project to do this
because none of this stuff exists.
The manufacturers are really confused
right now.
What do we do?
We're selling these $200 Linksys
for people to put at home.
Now all these free wireless people
are building networks.
What do we do?
Cisco right now has a major problem
because all these dot bombs are dying.
All their switches and their routers
you can buy at surplus auctions.
The only thing they're selling right now
is Aironet cards.
They're all back ordered.
They don't know why people
are buying them so much.
They don't know where this market share is going to.
I'm not bullshitting.
Cisco people come to our meetings
and I'm like, whoa, what are you guys doing?
It's really interesting what they're looking at.
They made a definitely good acquisition
of Aironet from Ohio last year.
That was a good plan.
That was my
quick overview of the slideshow.
Like I said, bawug.org
nycwireless.net
You've got personal
telco, nocat.net,
Seattle Wireless.
The list goes on.
Probably around November or October
we're going to work on a wireless summit
somewhere in the Bay Area
where it will be formed like this,
like a workshop type environment.
How do you build that Pringles can antenna?
How do you do war driving?
How do you build antennas,
big omnidirectional antennas?
What's the best access point to buy?
This is definitely a movement
that people should be aware of.
The idea of saying, oh, Peter's driving around
and he's war driving and that's all bad.
It's really useful for us to get
the statistical information to see what's out there.
Then we can approach these companies
and say, hey, by the way,
X Microsystems,
you guys make those great computers there.
Your network's not very secure.
Why don't you
put this out in the DMZ?
All the major firewall companies
in the Bay Area have open WLANs.
Sorry to cut you off a little bit.
We have five more minutes,
so we might as well answer a few more questions.
Right there.
The question is,
how do we deploy a network
in parts of San Francisco
to cover all of San Francisco?
From an RF standpoint,
and I'm not an RF person,
I'm not a ham or anything,
it's really hard to do right now
because if you go to certain places
in downtown San Francisco,
there's already 40 access points you can hear
and the default configuration
with the default channel.
Half of them are using Channel 1 or Channel 11.
It would take a lot of coordination
to pull that off.
The problem is this stuff is not really designed
to do repeating and whatnot. You'd literally have to pull a T1 in to each location.
If the analysts are already there at these companies,
let's give them a Linux box that's got DMZ in a box
and they can do it.
That's not our immediate goal right now.
We're looking at more getting that software made,
getting that box made,
instead of covering the entire city.
It would take a lot of work and effort.
There are some stealth startups that are proposing that,
but it's really hard because the only wireless companies
right now, like MobileStar
that's got the Starbucks thing
and Wayport and those other ones,
they're not making money.
And we're not in it for the money, so we're not going anywhere.
Here's a map of New York, by the way.
Starbucks.
The blue dots are where we drove,
the red dots are where we hit Starbucks network,
and the green crosses are where the Starbucks
actually are.
Obviously we haven't covered everything in Manhattan,
but we've hit 1,400 base stations already.
Questions?
A good trick when we're driving?
Take the bus.
What do you mean?
It's just efficient?
Get back?
Get drunk?
Mass transportation like barges is a lot of fun.
What?
What's the percentage of the corporate networks
we're hitting while we're driving?
Encrypted.
10 to 15%, maybe.
That's it.
And Terry in New York said it's a lot more in New York.
So we're looking at 75 to 85% encryption in the financial center area.
I don't know.
Bechtel in San Francisco is wide open.
Questions?
Oh, London is pretty fertile also.
Guy right there.
Tons.
Tons.
Tons.
Incredible amounts.
I'm very sure there's a lot of people,
a lot of other people's networks that don't know it.
In addition we have two APs in the same channel
that are going to stomp all over each other
and reduce your efficiency in half at least.
And this has been demonstrated by the network at this event,
when you've got, you know, kiddies ARP-spoofing all night long.
Question over here.
Well, this is the best place for access.
Over wireless.
The tent.
Yeah, we got the height.
Also, the bar downstairs is pretty good.
And it fits two purposes.
The drink.
All right, any more questions?
All right, got any in the front?
After this, we'll probably walk down to the bar.
So if you'll buy us a beer, we'll answer more questions.
How far, like, are some places set up?
For instance, inventory control, like Best Buy.
Wide open.
Yeah.
I really want to take my VW bus to Washington, D.C.
Hey, you're already in the capital of California.
State capital.
Yeah, I'm at the state capital of California right now,
and that's going to be entertainment value 101.
So, is that it for questions?
All right, all right, one more.
Speak louder.
No, at that frequency, I have no real,
I don't have to deal with any Doppler problems.
I'm really effective around 40, 45 miles an hour.
I've done efficient scans around 80 miles an hour.
And it's not going to affect my bus at all.
No.
So, I think that's it for questions.
Yeah, I think we've run out of time.
Thanks.
I'd just like to make one recommendation
to no one in specific,
but a good book they should probably read
is Networking for Dummies.
Thank you.
